Better Laws Needed to Counter Cyber Attacks

Department of Homeland Security Secretary Napolitano called for an “international legal framework” to “govern cyber.” According to Reuters, the Secretary said on July 1, 2011: “Right now there needs to be some sort of international legal framework to address those and that does not yet exist.”

“We are all scrambling but we are scrambling with some of the best minds in the world and we are confident that from a technological point of view we are going to get to a satisfactory resolution of some of these difficult problems.”

A legal framework and a “technological … resolution of some of these difficult problems” are two very different things. In the context of a brief wire service report, appreciation of that distinction is not clear. For more context, I consulted the Department of Homeland Security’s website where there is posted a copy of her official, prepared remarks. Unfortunately, the comments of most interest to the cyber legal landscape do not appear in those remarks. The Reuters story specifies that those comments were made to reporters. Neither of the quotations above appear in the prepared remarks.

Even without citation to specific quotations, I believe it is fair to say that the consensus amongst computer engineers is thatthere is not and will not be a technological solution to cyber security or to cyber crime.

“I would have to say that we are still at the nascent stage. There is no comprehensive international framework” for approaching the issue, [Napolitano] told reporters. The situation was no better in the European Union.

Yet, in her prepared remarks, the Secretary stated: “The United States supports the [Council of Europe’s] Convention on Cybercrime, which is a strong, existing framework for cooperation, and encourages countries to sign the Convention.” For those last two statements to be consistent, she must believe that the Convention is strong but insufficiently effective and that it would be more effective if more countries sign it. Of course, especially given the international (or “non-national”) nature of cyberspace, it ispossible that the addition of more countries to the Convention would generate a satisfactory level of cyber security. The counterargument exists, however, that “[t]he situation was no better in Europe” because Europe’s Convention on Cybercrime is simply not an effective approach.

You can read the actual Convention on Cybercrime at this link. Secretary Napolitano’s prepared remarks are appended, below.